Florida’s new Information Protection Act of 2014, which was recently passed, will replace the state’s prior data breach notification law and take effect on July 1. The law puts greater and more specific notification requirements on companies that experience a data breach. Although the law only applies in the event unencrypted, unsecured, or unmodified electronic personal information is implicated, “personal information” has been revised (mirroring the recent change in California) to include a user name or e-mail address in combination with a password or security question/answer. In addition to requiring notification of affected individuals, the new law requires covered entities to provide notice to the Florida Department of Legal Affairs of any security breach affecting 500 or more individuals in the state no later than 30 days after “determination of a breach or reason to believe a breach occurred.” Notably, the law is the first of its kind to require companies to provide to the state authorities, upon the state authority’s request, a police report, incident report, or computer forensics report and a copy of the policies in place regarding breaches.
TIP: The revised obligations under Florida’s breach notice law will likely put greater emphasis on what types of policies companies have in place for handling data breach notifications, and what kind of steps (obtaining police reports, conducting forensic investigations) companies have taken prior to notification. Special attention will need to be paid to determine whether these documents were generated under the attorney-client privilege. Should the department start requesting these documents, companies will need to navigate this difficult minefield carefully.